A SQL injection flaw in Microsoft Configuration Manager, patched in October 2024, is now being actively exploited by attackers, prompting CISA to add it to its Known Exploited Vulnerabilities catalog with a March 5 deadline for federal agencies.
A critical SQL injection vulnerability in Microsoft Configuration Manager that was patched in October 2024 is now being actively exploited by attackers, according to the US Cybersecurity and Infrastructure Security Agency (CISA). The agency has added CVE-2024-43468 to its Known Exploited Vulnerabilities catalog, setting a March 5 deadline for federal agencies to deploy the patch.
The vulnerability, which carries a severity rating of 9.8 out of 10, exists in Microsoft Configuration Manager, a tool IT administrators use to manage organizations' Windows-based servers and laptops. The flaw allows unauthenticated, remote attackers to execute commands on the server and/or underlying database, making it a severe security risk that requires immediate attention.
French cybersecurity firm Synacktiv's red teamer Mehdi Elyassa discovered and reported the bug to Microsoft. Despite being patched 16 months ago, the vulnerability is now under active exploitation, highlighting the ongoing risks organizations face when failing to apply security updates promptly.
Microsoft initially rated the vulnerability "exploitation less likely" when it disclosed the bug in October 2024, and the company's security update still lists the vulnerability as not being under attack. The situation has changed dramatically since then, with at least two proof-of-concept exploits now publicly available.
The timing of this revelation is particularly challenging for IT administrators, coming during a week already packed with security concerns. Microsoft recently issued 117 patches, including fixes for six zero-day vulnerabilities that were already under attack when the patches were released. The company also addressed 30+ Chrome extensions disguised as AI chatbots that were stealing users' API keys, emails, and other sensitive data.
For organizations still running unpatched versions of Microsoft Configuration Manager, the risk is immediate and severe. The vulnerability's CVSS score of 9.8 indicates it's among the most critical security flaws, capable of allowing attackers to gain complete control over affected systems without authentication.
CISA's decision to add this vulnerability to its catalog underscores the seriousness of the threat. Federal agencies must now prioritize patching this specific vulnerability by the March 5 deadline, while private sector organizations should treat it with equal urgency.
The exploitation of this 16-month-old vulnerability serves as a stark reminder that patch management remains one of the most critical security practices for organizations of all sizes. Even vulnerabilities that initially appear to have low exploitation risk can become serious threats as attackers develop new techniques and tools.
IT administrators should immediately assess their Microsoft Configuration Manager deployments and apply the October 2024 patch if they haven't already done so. Given that proof-of-concept exploits are now publicly available, the window for preventing attacks is rapidly closing.
This incident also highlights the importance of maintaining comprehensive vulnerability management programs that track not only newly discovered vulnerabilities but also previously patched flaws that may become targets as exploitation techniques evolve. Organizations that maintain rigorous patch management schedules are significantly better positioned to defend against such threats.
The convergence of this newly exploited vulnerability with Microsoft's regular Patch Tuesday updates creates a perfect storm of security challenges for IT teams. With six actively exploited zero-days and now this critical SQL injection flaw, administrators face an unprecedented workload in securing their environments.
As the cybersecurity landscape continues to evolve, the gap between patch availability and actual deployment remains one of the most significant security challenges organizations face. This latest incident demonstrates that even well-known vulnerabilities can become serious threats when attackers finally develop effective exploitation techniques.
